Article Id 194229



This article describes how to alter the default login-attempt-limit and login-block-time for SSL VPN users.





The default login-attempt-limit for SSL VPN users is 2 and the default login-block-time is 60 seconds.
This means that if a user enters an incorrect username/password combination twice in a row, the firewall blocks further attempts and returns the message 'Too many bad attempts. Please try again in few minutes'.
The user must then wait 60 seconds before trying to log in again.



To increase or otherwise change these values, set them from the CLI as shown below.

config vpn ssl settings
    set login-attempt-limit x          <- Insert the number of attempts to allow in place of x.
    set login-block-time y             <- Insert the number of seconds to block attempts for in place of y.
end


This configuration helps limit brute-force password guessing against SSL VPN logins.
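To make the interaction of the two settings concrete, the following Python model simulates a consecutive-failure lockout with login-attempt-limit and login-block-time as parameters and computes how many wrong guesses a given policy tolerates per hour. This is an added illustration, not FortiOS code; the names LockoutPolicy, attempt, simulate and wrong_guesses_per_hour are the author's, and the assumptions that a correct password during the block window is still rejected and that a successful login clears the failure counter are modelling choices, not statements from the article.

```python
"""Model of a consecutive-failure lockout policy with two knobs:
attempt_limit (failures allowed before blocking) and block_time
(seconds the block lasts). Added illustration, not FortiOS code."""

from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    attempt_limit: int = 2      # FortiOS default per the article
    block_time: int = 60        # seconds, FortiOS default per the article
    failures: int = 0           # consecutive failures since last block/success
    blocked_until: float = 0.0  # absolute time (seconds) the block expires

    def attempt(self, now: float, password_ok: bool) -> str:
        """Record one login attempt at time `now` (seconds) and return
        'blocked', 'success' or 'failure'."""
        if now < self.blocked_until:
            # Assumption: while blocked, even a correct password is rejected.
            return "blocked"
        if password_ok:
            self.failures = 0   # assumption: success clears the counter
            return "success"
        self.failures += 1
        if self.failures >= self.attempt_limit:
            self.blocked_until = now + self.block_time
            self.failures = 0   # counting restarts once the block expires
        return "failure"


def simulate(policy: LockoutPolicy, events: list[tuple[float, bool]]) -> list[str]:
    """Run a list of (time, password_ok) events through the policy."""
    return [policy.attempt(t, ok) for t, ok in events]


def wrong_guesses_per_hour(attempt_limit: int, block_time: int) -> int:
    """Upper bound on wrong guesses the policy tolerates for one account in
    an hour, assuming each attempt itself takes no time: `attempt_limit`
    guesses per block cycle of `block_time` seconds."""
    if attempt_limit <= 0 or block_time <= 0:
        raise ValueError("both settings must be positive")
    return (3600 // block_time) * attempt_limit


if __name__ == "__main__":
    # Constructed event sequence: two failures, two attempts during the
    # block (one with the right password), then a failure and a success.
    events = [(0, False), (1, False), (2, False), (30, True), (61, False), (62, True)]
    print(simulate(LockoutPolicy(), events))
    for limit, block in [(2, 60), (2, 300), (5, 60)]:
        print(f"limit={limit} block={block}s -> "
              f"{wrong_guesses_per_hour(limit, block)} wrong guesses/hour")
```

Raising login-block-time shrinks the hourly guess budget far more than lowering login-attempt-limit does, which is the trade-off to keep in mind when tuning these values against legitimate users who mistype their password.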


This method does not apply to SAML user groups. SAML user groups authenticate against an Azure application, FortiAuthenticator, or another IdP rather than the FortiGate itself, so the FortiGate cannot count each incorrect username/password entry.